I've managed to find time to capture some data from the other 2 controllers I have, but the sad state of my laptop has prevented me doing too much. Thankfully a new laptop is arriving soon and I have taken the time to look at the data I did capture in more detail.

Preamble & Sync Words

From the original controller I was expecting to see

  • 40 byte preamble
  • 4 sync words, 0x5a475250

Sure enough that was exactly what I found :-) Looking at the decoded hex for the 2nd controller,

    0                       8
    --------------------------
00: aa aa aa aa aa 5a 47 52 50
01: aa aa aa aa aa 5a 47 52 50
02: aa aa aa aa aa 5a 47 52 50
03: aa aa aa aa aa 5a 47 52 50
04: aa aa aa aa aa 5a 47 52 50
Preamble and sync words from a capture

This confirms my initial theories and shows that the sync words are fixed across all controllers.

Identifier?

Having found that the next 4 bytes were variable but the subsequent 4 (which I believe to be an identifier) were identical, I checked this for the additional controllers. I expected the identifier to be different from the initial controller, but identical in all captured transmissions.

    9             13
    -----------   -----------
00: fd ee 1d 92   a7 4d 02 2b
01: ff e9 15 a6   a7 4d 02 2b
02: ff e9 15 a6   a7 4d 02 2b
03: ff e9 15 a6   a7 4d 02 2b
04: fd ee 1d 92   a7 4d 02 2b
Bytes from capture
    9             13
    -----------   -----------
00: 3d ee 1d 92   ae 4d 39 1a
01: 3f e9 15 a6   ae 4d 39 1a
02: 3f e9 15 a6   ae 4d 39 1a
03: 3f e9 15 a6   ae 4d 39 1a
04: 3d ee 1d 92   ae 4d 39 1a
Bytes from capture

This seems to confirm that the second 4 byte block is a unique identifier. Whether it is unique to the controller or the controller & receiver pairing I will investigate further.

If the second 4 byte block is an identifier, then a logical assumption is that the first 4 byte block is a message header. With the variable length of the messages I was expecting to see a length encoded somewhere, but it's not obvious.

This means presently I consider the RF data to be formatted as

aa aa aa aa aa      5 byte preamble
5a 47 52 50         4 byte sync word
xx xx xx xx         4 byte header (???)
xx xx xx xx         4 byte identifer
xx xx xx xx xx      variable length payload
Current packet format description

Message Lengths

Looking at the messages there are only a few payload lengths that are received. Checking the control bytes against the payload length shows there is a relationship.

3dee1d92: [52, 52, 52, 52, 52, 52, 52, 52, 52, 52, 52, 52, 52, 52, 52,              52, 52, 52, 52, 52, 52]
3fe915a6: [16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16,              16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16,              16, 16, 16, 16], 
3fec1292: [84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84, 84,              84, 84, 84, 84, 84, 84, 84]
Control bytes and payload lengths from one capture

The first byte of the payload is another candidate for the length and in fact looking at that byte shows another relationship.

52 bytes: ['aa', 'ad', 'a1', 'a1', 'ad', 'af', 'a3', 'a3', 'af', 'a9', 'ad', 'a1', 'a1', 'a9', 'aa', 'ae', 'a2', 'a4', 'a8', 'ab', 'a7']
16 bytes: ['ee', 'e3', 'e9', 'e5', 'e7', 'e5', 'e3', 'e9', 'eb', 'eb', 'ef', 'e7', 'e8', 'e7', 'ec', 'eb', 'e4', 'e8', 'e0', 'e5', 'e4', 'e5', 'e0', 'ed', 'e8', 'e6', 'ec', 'ec', 'e0', 'ed', 'ec', 'e5', 'ef', 'e1']
84 bytes: ['ac', 'a4', 'a0', 'a4', 'a0', 'a8', 'ac', 'a6', 'a2', 'aa', 'ae', 'a8', 'a8', 'a4', 'a0', 'a3', 'a7', 'a3', 'ab', 'af', 'aa', 'ae']
First byte of payload vs payload length

The next step is to capture a pairing sequence and see if that reveals any more useful information.